Zen and the Art of Breaking Security - Part I

At the end of the day, any software implementation boils down to running some machine language instructions on a CPU, and these operations are not instantaneous. Depending on which logical paths the program takes, some actions will take longer, some shorter.

We normally completely ignore this level of detail, and only care about whether the system is fast or slow, or whether the Web page takes more than two seconds to download. But imagine you have a hardware chip that accepts a 30-character passphrase to unlock a safe. In his third Mission: Impossible, Tom Cruise managed to steal the board and gave it to you to find the passphrase (Hollywood can only do so much). The board contained a single chip. Had it been like a regular motherboard, with different subsystems, an attacker recording the traffic on the buses would have had access to the machine code and data as they are transferred from memory, and the attack would have been significantly easier.

The 240-bit key is not something fun to attack by brute-forcing the entire keyspace. For the example's sake, let's assume that the implementation is poorly designed: although the password check only begins after the entire password is typed in, the passphrase is actually checked character by character. If the first character is correct, the check goes on to the next character; if not, the code generates a beep and exits. The second character is then checked the same way, and so on.

A human user would instantly hear the beep. If the board is connected to a logic analyzer, however, we can time with very good precision how long it takes from the moment we input the password until the command signal to the buzzer is sent. We first try with a password consisting of 30 '\0' (characters with the ASCII code 0). Then we move to the next possible value of the first character, 01 in ASCII, leaving the rest unchanged. And so on, until we exhaust all 256 possible values.

For all but one attempt, the beep will come after whatever time is needed to initialize the check, reach the verification of the first character (which fails), and jump to the beeper routine. For the correct character, though, the time needed will be slightly longer because the first character was correct and the code proceeded to the next one (so more instructions are executed before the beep comes out).

For each character, we only need to iterate through 256 values, keeping the characters already found and leaving the rest fixed. The number of possible values to check is dramatically reduced, from 2^240 in the most unfavorable case of sheer brute force, to 256 x 30 = 7680 trials, a piece of cake. A quick reality check: since the logic analyzer is not infinitely precise but samples the signals at its own limited rate, for very fast systems a single password attempt can be repeated multiple times, so the time difference becomes measurable.
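The search described above can be simulated in a few lines of C. This is an added example, not code from the article: the secret, the function names and the step counter (which stands in for the logic analyzer's time measurement) are all constructed for the illustration. The constant-time check is likewise an assumed hardened variant, included to show that the same search learns nothing once the running time no longer depends on the guess.

```c
#include <stdio.h>
#include <string.h>
#define PASS_LEN 30
/* Constructed 30-character secret for this simulation (not from the article). */
static const unsigned char SECRET[PASS_LEN + 1] = "correct horse battery staple!!";
typedef int (*check_fn)(const unsigned char *guess, unsigned *steps);

/* Early-exit check as the article describes it; *steps counts loop iterations
   before the result, standing in for the measured time until the beep. */
static int check_leaky(const unsigned char *guess, unsigned *steps) {
    *steps = 0;
    for (size_t i = 0; i < PASS_LEN; i++) {
        (*steps)++;
        if (guess[i] != SECRET[i]) return 0;  /* beep and exit */
    }
    return 1;
}
/* Assumed hardened variant: every byte is always examined, so the step
   count is identical for every guess. */
static int check_constant(const unsigned char *guess, unsigned *steps) {
    unsigned char diff = 0;
    *steps = 0;
    for (size_t i = 0; i < PASS_LEN; i++) {
        (*steps)++;
        diff |= (unsigned char)(guess[i] ^ SECRET[i]);
    }
    return diff == 0;
}
/* Position-by-position search: keep the byte value with the longest step
   count. Returns the number of trials used; *found is set on success. */
static unsigned recover(check_fn check, unsigned char *out, int *found) {
    unsigned trials = 0, steps = 0;
    memset(out, 0, PASS_LEN); *found = 0;
    for (size_t pos = 0; pos < PASS_LEN; pos++) {
        unsigned best = 0; unsigned char best_val = 0;
        for (int v = 0; v < 256; v++) {
            out[pos] = (unsigned char)v;
            trials++;
            if (check(out, &steps)) { *found = 1; return trials; }
            if (steps > best) { best = steps; best_val = (unsigned char)v; }
        }
        out[pos] = best_val;
    }
    return trials;
}
int main(void) {
    unsigned char g[PASS_LEN]; int ok;
    unsigned n = recover(check_leaky, g, &ok);
    printf("early-exit: found=%d after %u trials\n", ok, n);
    n = recover(check_constant, g, &ok);
    printf("constant-time: found=%d after %u trials\n", ok, n);
}
```

Against the early-exit check the search finishes within the 7680-trial bound; against the constant-time check it spends all 7680 trials and recovers nothing.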

Many readers might point out that (a) the attacker would not know that the password check is character by character, and (b) the mechanism is silly and no real security product would use it. Regarding (a), it could be possible for such information to be available (Mr. Cruise could have obtained some blueprints as well), but even if we don't know, we could try. Timing patterns could reveal useful information about the internal workings of the chip even if they do not lead to the solution in so few steps. Cryptanalysis is a step-by-step process in which any little crumb of information helps the search.

Regarding (b), indeed, the mechanism is silly: the passphrase check is not designed well and there should be a lockout after a number of unsuccessful login attempts. We have chosen this scenario for simplicity. Not that silly i